Professional Documents
Culture Documents
dummy.sh figure
Using gedit, create a file named dummy.sh and write what is echoed in there.
It will copy our dummy file to /system/xbin folder, make it executable and edit the
init.sh file to include our dummy.sh so that it is automatically executed with the
root privilege when Android boots up.
| P a g e 10
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
This shows the created files; dummy.sh and update-binary and the content in them.
Also, it has shown how to make the bin file update-binary executable
| P a g e 11
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
This the zipped file of AR which will help us to transfer into the recovery ubuntu
OS
| P a g e 12
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
Check the ip address using ifconfig then move the zip file over to the Recovery OS
in the /tmp folder as shown below; the password is ‘dees’.
| P a g e 13
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
This will be from the seed ubuntu VM to the recovery OS ubuntu using the scp
transfer protocol.
| P a g e 14
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
We then execute the update-binary file using sudo ./update-binary command and
reboot the system. When the Android VM completes rebooting, we launch the
Terminal and check the /system directory and verify result whether a dummy file
was created. Also, we check the xbin folder to see if the dummy shell script has
been created.
| P a g e 15
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
This screenshot indicates that we were successful in creating a file in a folder that
required root privileges by modifying the init.sh file that allows us to run the
program automatically with the root privileges during the initialization of the
under-lying Linux OS of the Android.
| P a g e 16
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
*Now we perform the same attack using the app_process program running with
root privileges during the bootstrapping process of Android. In addition for the
app_process to run the Zygote daemon, whose mission is to launch applications. This
means that Zygote is the parent of all app processes.
we also run something else of our own choice. We rename the original app process
binary to app process original and call our program the app process. In our
program, we first write something to the dummy file, and then invoke the original
app process program. We save this file as app_process.c.
These tree files used as app_proccess to gain root shell on the android devices.
1. app_process.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
extern char** environ;
int main(int argc, char** argv) {
//Write the dummy file
FILE* f = fopen("/system/dummy2", "w");
if (f == NULL) {
printf("Permission Denied.\n");
exit(EXIT_FAILURE);
}
fclose(f);
//Launch the original binary
char* cmd = "/system/bin/app_process_original";
execve(cmd, argv, environ);
//execve() returns only if it fails
return EXIT_FAILURE;
| P a g e 17
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
2. Application.mk
APP_ABI := x86
APP_PLATFORM := android-21
APP_STL := stlport_static
APP_BUILD_SCRIPT := Android.mk
3. Android.mk
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := app_process
LOCAL_SRC_FILES := app_process.c
include $(BUILD_EXECUTABLE)
(NDK) is a set of tools that allows you to use C and C++ code with Android
| P a g e 18
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
We copy the previously created binary file in the android folder of the OTA
package.
We create update-binary to rename the original app_process64 and then copy our
app_process to replace the original one and also make it executable.
We start the recover OS on the Android VM to send the zipped file like we did in
taks one files.
| P a g e 19
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
| P a g e 20
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
We see that dummy2 is created in /system directory which tells us that our code
was compiled successfully, and OTA was flashed. This proves that we can use the
app_process during the bootstrapping process to write to a root-protected folder.
We copy these two binaries in the OTA package in the following location:
task3/x86
| P a g e 21
CYBER321 | Modhi Bin Kulib
Practical Project: Application Threat
Analysis
We then start the recovery OS on the Android VM and we archive the task3 folder
and transfer the archive over to the Recovery OS. We then unzip our transferred
archive. We go over to /android directory and run update-binary. We then reboot to
Android OS.
| P a g e 22